There is a new piece of malware attempting to guess WordPress account credentials. You can recognize it by its odd user-agent header. Here is the first one I saw:
All subsequent occurrences have been identical other than the hexadecimal value inside the parentheses.
The first incidence of this user-agent on my site occurred at 2015-09-02T07:35:06 UTC; that is, ten days ago. Since then I’ve seen at least 241 attacks with that signature (see note below). Googling for
"Parser::Template::Auto=CODE" (including the quotes) returns a lot of hits from web log analysis tools. I didn’t see any predating the first instance I found in my logs. Which isn’t to say there aren’t any but it’s pretty clear this malware probably started attacking within a day or two of the first attack my system logged. Which is to say, around September 1st.
Of those 241 attacks the breakdown by country is
46 NL 43 FR 34 US 25 CH 24 DE 18 GB 13 SE 11 RO 5 CZ 3 LU 3 CA 2 UA 2 RU 2 PL 2 MD 2 FI 2 BY 1 SK 1 HU 1 ES 1 AT
More interesting is that 218, 90%, of those 241 attacks originated from ToR exit nodes. The remaining 23, 10%, are probably ToR exit nodes since they originate from cloud hosting providers with known ToR exit nodes and whose reverse-DNS (rDNS) host names are generic (e.g., ovh.net addresses) or highly suggestive (e.g., privateinternetaccess.com).
Based on the double colons and
CODE token I am confident this is from a Perl language module meant to convert templates into concrete text. Most likely the person using the module made a mistake in how they invoke the method thus causing the module to emit a diagnostic rather than the expected interpolated template. However, I did a bit of Googling and searching CPAN and could not find a published module with that signature. So another possibility is this is a module written by the malware author.
Note: I say “at least 241 attacks” because I installed the Mac OS X El Capitan “golden master” release during this period which resulted in my losing almost a full days worth of Apache logs.
P.S., The address 18.104.22.168 shows up in my logs with this attack signature. That address is owned by MiT and resolves to hostname
zscore.mit.edu. That does not appear to be a known ToR exit node but MiT does have many known ToR exit nodes so I would not be surprised if this address was simply not yet classified as such.